Date: Thu, 20 Jun 2019 18:19:35 -0700
In-Reply-To: <20190621011941.186255-1-matthewgarrett@google.com>
Message-Id: <20190621011941.186255-25-matthewgarrett@google.com>
References: <20190621011941.186255-1-matthewgarrett@google.com>
Subject: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells, Alexei Starovoitov, Matthew Garrett, netdev@vger.kernel.org, Chun-Yi Lee, Daniel Borkmann
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells

There are some bpf functions that can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Disable them if the kernel has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett cc: netdev@vger.kernel.org cc: Chun-Yi Lee cc: Alexei Starovoitov Cc: Daniel Borkmann --- include/linux/security.h | 1 + kernel/trace/bpf_trace.c | 11 +++++++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 13 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index dae4aa83352c..8bf426cdd151 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -97,6 +97,7 @@ enum lockdown_reason { LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, + LOCKDOWN_BPF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index d64c00afceb5..6f57485df840 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + if (security_is_locked_down(LOCKDOWN_BPF)) + return -EINVAL; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); @@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + if (security_is_locked_down(LOCKDOWN_BPF)) + return -EINVAL; /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. @@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, char buf[64]; int i; + if (security_is_locked_down(LOCKDOWN_BPF)) + return -EINVAL; + /* * bpf_check()->check_func_arg()->check_stack_boundary() * guarantees that fmt points to bpf program stack, @@ -534,6 +542,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + if (security_is_locked_down(LOCKDOWN_BPF)) + return -EINVAL; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing 
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 89ad853daec2..0a3bbf1ba01d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", + [LOCKDOWN_BPF] = "use of bpf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog
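Review bot: in the bpf_probe_read hunk the early `return -EINVAL` hands `dst` back untouched, while the failure path two lines below it does `memset(dst, 0, size)` precisely so that a program never sees stale bytes in a buffer the verifier already treats as written after the call; clear `dst` before returning here as well, or better, do the lockdown check once when the helper's func_proto is resolved at program load (bpf_tracing_func_proto) so a locked-down kernel rejects the program at verification time instead of every call paying for the check and failing at run time. -EPERM would also describe the refusal more honestly than -EINVAL, which a program cannot tell apart from a bad argument.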
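Review bot: the bpf_probe_write_user hunk gates a helper that writes user memory under the same confidentiality reason as the helpers that read kernel memory; what it guards against is the program altering memory, an integrity concern rather than a secrecy one, so it would fit a reason in the integrity range of the enum, which would also make it enforced in integrity mode where this patch still allows it. The commit message's description of it as a kernel-memory reader should be corrected at the same time, and the load-time versus per-call question raised for bpf_probe_read applies here too.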
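Review bot: the bpf_trace_printk hunk refuses every call, including format strings that never dereference a pointer; the kernel-memory read this helper can perform is confined to its %s handling, for which the `char buf[64]` declared just above the new check is the scratch buffer, so refusing only %s arguments under lockdown would keep plain trace_printk debugging usable in confidentiality mode. If a blanket refusal is deliberate, say so in the commit message.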
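Review bot: the bpf_probe_read_str hunk gates a fourth helper that the commit message does not list; add it there. As with bpf_probe_read, the early return gives `dst` back without writing anything into it, and the comment that follows the return explains that the buffer is otherwise filled (at least partly) by strncpy_from_unsafe(), so this path should also clear `dst`.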
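Review bot: the reason string "use of bpf" in the lockdown.c hunk overstates what is restricted: bpf programs still load and run in confidentiality mode and only the four helpers touched by this patch refuse, so the reason shown when one of them fires will send users looking for a bpf-wide switch. Something like "use of bpf to read kernel memory" would match the commit's own rationale.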
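The placement of LOCKDOWN_BPF between LOCKDOWN_KPROBES and LOCKDOWN_CONFIDENTIALITY_MAX in the security.h hunk is what makes the four helpers refuse only in confidentiality mode and keep working under integrity lockdown. The following is an added user-space model of that level comparison and of the refused bpf_probe_read path; it is not the lockdown LSM's or the kernel's code and is not part of this patch. LOCKDOWN_NONE and LOCKDOWN_MODULE_SIGNATURE are assumed from elsewhere in the series, every `model_*` name and `kernel_locked_down` are assumptions, and the zeroing of `dst` on the refused path is a choice the model makes that the hunk as posted does not.

```c
/*
 * Added user-space model, not kernel code: how a reason's position in
 * enum lockdown_reason decides which lockdown level refuses it, and
 * what the patched bpf_probe_read does when LOCKDOWN_BPF is in force.
 * LOCKDOWN_NONE and LOCKDOWN_MODULE_SIGNATURE are assumed from the rest
 * of the series; every model_* name is an assumption.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum lockdown_reason {
	LOCKDOWN_NONE,
	LOCKDOWN_MODULE_SIGNATURE,	/* integrity-range reason, assumed */
	LOCKDOWN_INTEGRITY_MAX,
	LOCKDOWN_KCORE,
	LOCKDOWN_KPROBES,
	LOCKDOWN_BPF,			/* added by this patch */
	LOCKDOWN_CONFIDENTIALITY_MAX,
};

/* Modelled state: the level the kernel is currently locked down to. */
static enum lockdown_reason kernel_locked_down = LOCKDOWN_NONE;

/*
 * Modelled hook: a reason is refused when the current level is at or
 * above it, so reasons placed between INTEGRITY_MAX and
 * CONFIDENTIALITY_MAX bite only in confidentiality mode.  Passing a
 * level marker instead of a single reason is a caller bug.
 */
static int model_is_locked_down(enum lockdown_reason what)
{
	if (what >= LOCKDOWN_CONFIDENTIALITY_MAX)
		return -EINVAL;
	return kernel_locked_down >= what ? -EPERM : 0;
}

/* 1 if `what` is refused when the kernel is locked down to `level`. */
static int model_blocked_at(enum lockdown_reason what,
			    enum lockdown_reason level)
{
	enum lockdown_reason saved = kernel_locked_down;
	int ret;

	kernel_locked_down = level;
	ret = model_is_locked_down(what);
	kernel_locked_down = saved;
	return ret != 0;
}

/*
 * Model of bpf_probe_read after the patch: refuse with -EINVAL under
 * LOCKDOWN_BPF, otherwise copy.  Unlike the posted hunk, the refused
 * path also zeroes dst so no stale bytes are handed back.
 */
static int model_bpf_probe_read(void *dst, unsigned int size,
				const void *unsafe_ptr)
{
	if (model_is_locked_down(LOCKDOWN_BPF)) {
		memset(dst, 0, size);
		return -EINVAL;
	}
	memcpy(dst, unsafe_ptr, size);
	return 0;
}

/* Constructed stand-in for a secret held in kernel memory. */
static const char model_secret[8] = "hibkey";

/*
 * Attempt the read at each level.  Per level: 'r' = secret copied out,
 * 'z' = refused and dst zeroed, '-' = refused but dst left stale.
 * Expected result: "rrz".
 */
static const char *model_bpf_read_by_level(void)
{
	static const enum lockdown_reason levels[3] = {
		LOCKDOWN_NONE, LOCKDOWN_INTEGRITY_MAX,
		LOCKDOWN_CONFIDENTIALITY_MAX,
	};
	static char out[4];
	char buf[sizeof(model_secret)];
	char zero[sizeof(model_secret)] = { 0 };
	int i;

	for (i = 0; i < 3; i++) {
		memset(buf, 'A', sizeof(buf));	/* pretend stale contents */
		kernel_locked_down = levels[i];
		if (model_bpf_probe_read(buf, sizeof(buf), model_secret) == 0)
			out[i] = memcmp(buf, model_secret, sizeof(buf)) ? '?' : 'r';
		else
			out[i] = memcmp(buf, zero, sizeof(buf)) ? '-' : 'z';
	}
	out[3] = '\0';
	kernel_locked_down = LOCKDOWN_NONE;
	return out;
}

int main(void)
{
	printf("bpf_probe_read at none/integrity/confidentiality: %s\n",
	       model_bpf_read_by_level());
	printf("module signature reason refused in integrity mode: %d\n",
	       model_blocked_at(LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_INTEGRITY_MAX));
	return 0;
}
```

The integrity-mode column stays 'r' purely because LOCKDOWN_BPF sorts above LOCKDOWN_INTEGRITY_MAX; moving the enumerator below that marker would change it to a refusal with no other code change, which is why the enum position is the security-relevant part of the security.h hunk.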